U.S. Department of Energy
Office of Inspector General
Office of Audit Services

Audit Report
Cyber Security Risk Management Practices at the Southeastern, Southwestern, and Western Area Power Administrations

DOE/IG-0805                      November 2008

Department of Energy
Washington, DC 20585

November 20, 2008

MEMORANDUM FOR

FROM:          Inspector General

SUBJECT:       Audit Report on "Cyber Security Risk Management Practices at the Southeastern, Southwestern, and Western Area Power Administrations"

BACKGROUND

The Southeastern, Southwestern, and Western Area Power Administrations provide electrical power to customers in 29 states. To support this critical function, the Power Marketing Administrations (PMAs) use information systems to conduct various activities, including financial management, marketing, and transferring wholesale electrical power across the Nation's electrical grids. In particular, Southwestern and Western operate supervisory control and data acquisition (SCADA) systems - systems critical to controlling the flow of electricity to the power grid. The power grids are part of the U.S. critical infrastructure. Interruptions in these control systems for an extended period could adversely impact the PMAs' customers.

To help identify and manage risk, all Federal entities are required to certify and accredit (C&A) their information systems. This formal process is designed to ensure that information systems are secure prior to beginning operation and that they remain so throughout their lifecycle.
The C&A process includes specific steps to recognize and address risks, determine whether system security controls are in place and operating effectively, and ensure that changes to systems are adequately tested and approved. In light of the growing threat to the security of information systems supporting critical infrastructure, we initiated this audit to determine whether the cyber security programs at Southwestern, Southeastern, and Western adequately protected operational data and information systems.

RESULTS OF AUDIT

Southeastern, Southwestern, and Western had taken steps to strengthen their cyber security programs. Our review, however, identified critical C&A process weaknesses that could, if not adequately addressed, adversely impact the security of the PMA systems and the data they contain. In particular, these PMAs had not always:

    Developed adequate security plans for each of the 12 systems we reviewed;

    Ensured that physical and cyber security controls were tested and operating as intended;

    Developed corrective action plans necessary to resolve weaknesses in a number of important control areas; and,

    Developed contingency plans to ensure that systems could be recovered in the event of a significant outage.

Problems with the certification of these systems - some of which are integral to controlling electrical transmission to major portions of the Nation's power grids - were attributable to the PMAs' failure to fully adopt a risk-based approach for implementing security controls designed to satisfy Federal requirements.
In addition, Southeastern, Southwestern, and Western had not adequately emphasized the importance of a robust cyber security program through involvement of "system and information owners." Improvements are needed if PMA systems, specifically including those that support the Nation's critical infrastructure, are to adequately protect against external attacks or insider threats.

Each of the PMAs had recognized problems with their cyber risk management programs and were taking action to address certain weaknesses. For instance, Southeastern informed us that it is actively involving the system owners in updating security plans and re-certifying its systems. In addition, Southwestern had implemented a process for identifying and tracking corrective actions needed to address cyber security weaknesses. Furthermore, Western officials noted that they had completed the re-accreditation of four systems and were in the process of implementing an automated tool to assist with C&A activities.

These actions are positive steps that should help Southeastern, Southwestern, and Western strengthen the protective measures applied to their critical information systems. Additional action, however, is necessary, and our report contains several recommendations that, if fully implemented, should help them improve their overall cyber security posture.

MANAGEMENT REACTION

Management at Western and Southeastern generally concurred with the report's overall conclusions and recommendations but offered clarifying remarks and disagreed with certain conclusions. Southwestern concurred with some of the report's recommendations but did not believe certain conclusions and recommendations were applicable to its organization. The differences as to the conclusions reached during the audit were significant. We are hopeful that management will carefully review the facts disclosed during the audit to resolve these matters.
Management's comments are more fully discussed in the body of the report and are included in their entirety in Appendix 3.

Attachment

cc: Acting Deputy Secretary
    Administrator, Western Area Power Administration
    Administrator, Southeastern Power Administration
    Administrator, Southwestern Power Administration
    Chief of Staff
    Chief Information Officer
    Chief Health, Safety and Security Officer

REPORT ON CYBER SECURITY RISK MANAGEMENT PRACTICES AT THE SOUTHEASTERN, SOUTHWESTERN, AND WESTERN AREA POWER ADMINISTRATIONS

TABLE OF CONTENTS

Protection of Information Systems

    Details of Finding
    Recommendations and Comments

Appendices

    1. Objective, Scope, and Methodology
    2. Prior Reports
    3. Management Comments

Protection of Information Systems

Ensuring Security Over Information Systems

The certification and accreditation (C&A) process is designed to ensure that information systems are secure prior to beginning operation and that they remain so throughout their lifecycle. The C&A process includes formal steps to recognize and address risks, determine whether system security controls are in place and operating effectively, and ensure that changes to a system are adequately tested and approved.
The National Institute of Standards and Technology (NIST) emphasizes the importance of an effective C&A process when developing and implementing information systems. Specifically, NIST notes that "The successful completion of the security certification and accreditation process provides agency officials with the necessary confidence that the information system has adequate security controls, that any vulnerabilities in the system have been considered in the risk-based decision to authorize processing, and that appropriate plans and funds have been identified to correct any deficiencies in the information system." Reporting instructions published annually by the Office of Management and Budget (OMB) for the Federal Information Security Management Act require that Federal organizations adhere to NIST cyber security related directives/guidance.

Our review of the Southeastern, Southwestern, and Western Area Power Administrations (Southeastern, Southwestern, and Western, respectively) revealed that they had not fully implemented Federal requirements for certifying and accrediting a number of their systems. Specifically, we noted that system security plans were missing descriptions of key controls needed to protect information.
In addition, testing of security controls was often not conducted, was insufficient, or was not appropriately documented. Corrective action plans were also not always developed to address identified weaknesses in a timely manner, and contingency plans were not always complete and up-to-date.

Security Planning

We identified problems with the security planning process at each of the three Power Marketing Administrations (PMAs) reviewed. Specifically, Western allowed system accreditations to expire for a number of its systems. While systems should be re-accredited for operation at least once every three years to account for changes in technology and related risks, Western had permitted accreditations to expire for 6 of 15 systems. Western officials noted that they had completed the re-accreditation of four of these systems subsequent to our site visit, but efforts to re-accredit the other two systems remained incomplete at the time we completed our review.

We also found that security plans had not been fully developed for various systems at each of the PMAs.
For instance, Southwestern officials stated that three sub-systems approved as part of a larger general support system had security requirements distinct from one another. However, these specific controls were not adequately described in the general support system security plan. These elements were not included even though NIST directs that additional security controls specific to minor applications be documented in the system security plan for the major system. In addition, the security plan for Southeastern's Operations Center System did not contain detailed descriptions of required security controls as specified by NIST. At Western, the Desert Southwest supervisory control and data acquisition (SCADA) system security plan did not describe the controls planned or implemented to address at least two important user authentication areas. However, Western officials recognized this problem and had taken action to modify the security plan.

Security Control Testing

We also identified problems with security control testing. Specifically, certification testing – a detailed review of an information system's security controls generally performed every three years – was not adequately conducted, and annual self-assessments of security controls were not always completed.
Without adequate control testing, management lacked assurance that security controls were operating as intended.

Although all three PMAs conducted control testing on their major systems during system certification activities, testing was sometimes inadequate or the conclusions reached did not reflect the actual status of the control environment. For instance, a Southeastern official noted that an evaluation conducted by the Department of Energy's (Department) Office of Health, Safety and Security (HSS) constituted the certification activities for all its systems. However, an HSS official stated that their reviews do not test all applicable NIST controls and are not meant to be a substitute for certification testing. In Southwestern's case, it relied only on discussions of controls rather than physically testing them to ensure their effectiveness. While this approach may have been appropriate for low-risk systems, it did not provide adequate assurance that security controls were correctly implemented and operating as intended on systems having higher risk ratings, such as the financial and SCADA systems. In Western's case, we identified discrepancies between the certification agent's assessment and the security documentation for each of the seven systems reviewed.
Western explained that the discrepancies were due to a timing lag between testing, updating, and finalizing the corresponding documentation. However, without accurate information, Western may not have taken the actions necessary to correct weaknesses. Thus, responsible officials at all three PMAs may have been prevented from effectively taking actions to correct security control weaknesses that could have been exposed by testing.

While NIST notes that an effective information security program includes testing and evaluation of security controls at least annually, Southeastern and Western had not conducted thorough annual self-assessments on any of the systems reviewed in years when certification testing had not occurred. In Southeastern's case, although NIST guidance was used to perform a self-assessment consisting of a table-top exercise, the results of the assessment contained no explanations as to how the assessment team arrived at its conclusions or whether all necessary system security controls had been examined. Western also did not conduct annual self-assessments consistent with NIST guidance. To compensate for this, Western had implemented a continuous monitoring program that assessed the same subset of controls each year.
However, this process did not meet the OMB requirement that "Agencies should develop an enterprise-wide strategy for selecting subsets of their security controls to be monitored on an ongoing basis to ensure all controls are assessed during the three-year accreditation cycle." Notably, Southwestern adequately tested security controls as part of its self-assessment activities.

Corrective Actions

Although OMB requires that plans of action and milestones (POA&M) be developed to assist in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses found in programs and systems, Western and Southeastern had not developed comprehensive plans to address weaknesses in a number of control areas. Specifically, at Western, plans for certain systems were missing weaknesses identified during the certification process. Additionally, Southeastern's corrective action plans did not contain any of the 49 findings identified through an independent third party's risk assessment, including five "high priority" findings.
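The two checks behind the findings above, that a continuous-monitoring subset which never rotates cannot cover every control within the three-year accreditation cycle, and that a POA&M must carry every identified finding with an owner and a target date, are shown below as an added Python example. This is not code from the report or from any of the PMAs. The control identifiers follow the NIST SP 800-53 family-number style, and the catalogue, the assessment records, the finding list and the POA&M field names are all constructed for illustration.

```python
"""Added example: cycle coverage of a control-assessment strategy, and
completeness of the resulting plan of action and milestones (POA&M).

Everything below is constructed for illustration; control identifiers use
the NIST SP 800-53 style ("AC-2") but the catalogue is only a small slice
of what a real system security plan would list.
"""
from collections import defaultdict

# Constructed control catalogue for one system (assumption, not a real plan).
CATALOGUE = ["AC-2", "AC-3", "AC-7", "AU-2", "AU-6", "CM-3",
             "CP-2", "CP-9", "IA-2", "IA-5", "RA-3", "SI-2"]

# One accreditation cycle is three years.
CYCLE = (2006, 2007, 2008)


def cycle_coverage(catalogue, assessments, cycle_years):
    """Return (assessed, never_assessed) for one accreditation cycle.

    assessments: iterable of (year, control_id, result) records from any
    source (certification test, self-assessment, continuous monitoring).
    A control counts as covered if it was assessed in any cycle year.
    """
    assessed = {c for y, c, _ in assessments if y in cycle_years}
    never_assessed = [c for c in catalogue if c not in assessed]
    return sorted(assessed), never_assessed


def rotating_subsets(catalogue, cycle_years):
    """Split the catalogue round-robin into one subset per cycle year so
    every control is assessed once per cycle.  A real enterprise strategy
    would also weight volatile or high-risk controls to be sampled more
    often; this only guarantees the OMB minimum of full coverage."""
    plan = defaultdict(list)
    for i, control in enumerate(catalogue):
        plan[cycle_years[i % len(cycle_years)]].append(control)
    return dict(plan)


# Constructed assessment records.  SAME_SUBSET re-tests the identical three
# controls every year; ROTATING follows the plan from rotating_subsets().
SAME_SUBSET = [(y, c, "pass") for y in CYCLE for c in ("AC-2", "AU-2", "IA-2")]
ROTATING = [(y, c, "pass")
            for y, controls in rotating_subsets(CATALOGUE, CYCLE).items()
            for c in controls]

# Fields a POA&M entry needs before progress can be monitored at all.
REQUIRED_FIELDS = ("weakness", "responsible", "target_date", "status")


def poam_gaps(findings, poam):
    """Reconcile an independent finding list against the POA&M.

    findings: dict finding_id -> description (e.g. from a certification
    test or a third-party risk assessment).
    poam: dict finding_id -> dict of tracking fields.
    Returns (untracked_ids, {tracked_id: [missing_field, ...]}).
    """
    untracked = sorted(fid for fid in findings if fid not in poam)
    incomplete = {}
    for fid, entry in poam.items():
        missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
        if missing:
            incomplete[fid] = missing
    return untracked, incomplete


# Constructed findings and a constructed, deliberately incomplete POA&M.
FINDINGS = {
    "F-01": "AC-7 account lockout not enforced",
    "F-02": "AU-6 audit logs not reviewed",
    "F-03": "CP-9 backups never restore-tested",
}
POAM = {
    "F-01": {"weakness": FINDINGS["F-01"], "responsible": "ISSO",
             "target_date": "2009-03-31", "status": "open"},
    "F-02": {"weakness": FINDINGS["F-02"], "responsible": "",
             "target_date": "", "status": "open"},
    # F-03 is missing from the POA&M entirely.
}


if __name__ == "__main__":
    for label, records in (("same subset", SAME_SUBSET), ("rotating", ROTATING)):
        _, never = cycle_coverage(CATALOGUE, records, CYCLE)
        print(f"{label}: {len(never)} control(s) never assessed: {never}")
    untracked, incomplete = poam_gaps(FINDINGS, POAM)
    print("untracked findings:", untracked)
    print("entries missing fields:", incomplete)
```

Run against a real control catalogue and the year-by-year assessment records, `cycle_coverage` lists exactly the controls an authorizing official is being asked to accept without any evidence from the current cycle; `poam_gaps` does the reconciliation the audit performed by hand, matching third-party findings to POA&M entries and flagging entries that cannot be monitored because no one is responsible or no date is set.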
One weakness identified by the Office of Inspector General during a recent financial audit was also not tracked.

Even when high-level POA&Ms were developed, they lacked essential information for monitoring the correction of identified weaknesses. For five of the seven systems' POA&Ms reviewed at Western, information such as target completion dates and responsible individuals was missing. Moreover, although Western tracked certain corrective actions, the steps taken did not always correct the identified weakness. For instance, weaknesses relevant to access controls in Western's business decision support system were determined to be corrected even though the actions taken did not meet the security requirements set forth in the system security plan. To its credit, we found that Southwestern had implemented an effective corrective action process to address its security weaknesses.

Contingency Planning

Responsible officials had not fully considered interim measures for recovering information technology services following an emergency or system disruption. Specifically, we found that contingency plans at Southeastern were inadequate for use in the recovery from a system disruption. For example, contingency plans for each of the three systems reviewed did not discuss the need for backup media and did not outline specific duties for each role defined in the plan.
In addition, while officials at Western commented that plans had been developed for certain systems, they were unable to provide such documentation during our site visit. Subsequent to our site visit, Western provided documentation to support the existence of contingency plans for each of the systems reviewed. However, the documentation provided indicated that three contingency plans had not been updated for at least three years and two plans were still in draft. In contrast, Southwestern had developed and tested contingency plans for each of its information systems.

Security Approach and System Owner Involvement

Many of the weaknesses identified occurred because management had not fully adopted a risk-based approach for implementing security controls over its information systems in accordance with Federal requirements.
In addition, inconsistent involvement from system and information owners contributed to inadequate documentation and testing of cyber security controls.

Risk-Based Approach

Although required by NIST, Southeastern and Western management did not emphasize the importance of using a risk-based, life-cycle approach to manage cyber security. In particular, these two PMAs addressed security plans and tested the controls only during the certification process, which generally occurs only every three years. For example, Southeastern's security plans had not been updated since June 2006, and control testing was completed only in years when certification testing occurred. In Western's case, the certification agent developed and tested security plans for systems while certification activities were occurring, but system owners did not conduct assessments throughout the accreditation period.

Additionally, responsible officials had not appropriately prioritized the application of resources toward cyber security activities. Specifically, Western attempted to implement all NIST controls on each of its systems separately, rather than identifying those security controls common to multiple systems. This unnecessary and duplicative effort contributed to many of the problems identified at Western.
In another instance, system owner representatives at Western chose to dedicate resources to identifying and testing certain controls to meet the requirements of OMB Circular A-123 and North American Electric Reliability Corporation critical infrastructure protection standards. As a consequence, the certification agent experienced difficulty in assisting system owners to certify and accredit their systems in a timely manner.

System and Information Owner Involvement

Although NIST directs that information and system owners actively participate in the security planning process, an official at Western noted that information owners were not always involved in carrying out their responsibilities to define and document security requirements for their SCADA systems. We noted that Western management assigned only two individuals to certify 15 systems scattered over its 4 widely dispersed regional offices, leaving them to conduct risk assessments, develop security plans, and perform control testing to the extent practical. Consequently, Western's certification testing was often inadequate and nearly half of its system accreditations had expired.
However, as previously noted, Western had recently made progress toward re-accrediting its systems.

In addition, Southeastern and Southwestern officials stated that system and information owners could not participate in the creation of system security plans or the testing of security controls because they did not understand the requirements imposed by the Federal Information Security Management Act. However, without the owners' involvement, cyber security officials were forced to make assumptions about what security controls, testing, and documentation would meet the owners' information protection needs. For example, security officials developed security plans that did not adequately reflect the system control environment. Southeastern noted that it had begun to actively involve the system owners in updating security plans and re-certifying its systems.

Information Security and Assurance

Without improvements, critical information systems maintained by Southeastern, Southwestern, and Western could be disrupted. The need for a strong risk-management program becomes apparent when one considers that the number of cyber security incidents reported to the Department's Computer Incident Advisory Capability is at its highest level in three years. A further illustration of the importance of a robust cyber security program is shown in the results of a 2004 report regarding inappropriately protected systems.
The report noted that the number of externally generated cyber incidents related to control systems had increased significantly in past years. In addition to these reported external attacks, these PMAs' systems could also be impacted by inadvertent or malicious acts of insiders, or by disgruntled former employees. Without complete information, individuals responsible for approving systems for operation may continue to do so without fully understanding the risks associated with not implementing certain security controls.

RECOMMENDATIONS

To address the issues identified in this report, we recommend that the Southeastern, Southwestern, and Western Administrators:

    1. Establish a risk-based, life-cycle approach for implementing information security programs that allows management and information owners to make informed and cost-effective decisions, to include:

        a. Fully developing security plans to describe all relevant controls and ensuring that systems are accredited for operation in a timely manner; and,

        b.
           Verifying that necessary security controls are sufficiently tested for each system, to include conducting annual control assessments and ensuring that the conclusions reached are supported by the test results.

    2. Re-evaluate how to apply entity resources toward information security program efforts, to include actively engaging system and information owners outside of the cyber security function in risk-based decisions.

To further refine their risk-based approach, we also recommend that the Southeastern and Western Administrators:

    3. Maintain complete plans of action and milestones, to include updated corrective action plans for all identified weaknesses; and,

    4. Revise and update system contingency plans, as appropriate.

MANAGEMENT REACTION AND AUDITOR COMMENTS

Management at Western and Southeastern generally concurred with the report's overall conclusions and recommendations, but offered clarifying remarks and disagreed with certain conclusions.
Southwestern concurred with some of the report's recommendations, but did not believe certain conclusions and recommendations were applicable to its organization.

Management's proposed and stated actions are generally responsive to our recommendations. Based on management's comments, we modified our report where appropriate and updated the recommendations to better reflect observations relevant to each PMA. We have also made a number of other technical changes to our report to address management's comments.

In reference to specific comments made by each of the PMAs, management reaction and the auditor responses follow. Management's comments are included in their entirety in Appendix 3.

Western Area Power Administration

Western generally concurred with the report's overall conclusion and recommendations and indicated that it had made progress toward correcting the issues identified in our report. Although Western believed that its overall cyber security program was effective, management commented that it continues to strive to improve its cyber security program and documentation processes.

Management's proposed and stated actions are responsive to our recommendations.
We continue to believe that the\n                     implementation of a strong C&A process will enhance\n                     Western\'s ability to protect its systems.\n\n                                 Southeastern Power Administration\n\n                     Southeastern generally agreed with the report\'s overall\n                     conclusion and concurred with our recommendations.\n                     Management commented that statements in our report\n                     relating to critical infrastructure systems are not relevant to\n                     Southeastern because it does not maintain transmission\n                     lines and SCADAs. Management believed that its cyber\n                     security program has made significant improvements in\n                     recent years, including completion of an independent risk\n\n________________________________________________________________\nPage 8                                                 Comments\n\x0c                     assessment and efforts to rewrite security documentation.\n                     In addition, Southeastern acknowledged that it had not\n                     properly documented control testing and did not maintain\n                     adequate documentation to support the tracking of\n                     corrective actions taken to address security weaknesses.\n\n                     Management\'s proposed and stated actions are generally\n                     responsive to our recommendations. While we agree that\n                     Southeastern does not maintain systems supporting the\n                     nation\'s critical infrastructure, our report discussed\n                     weaknesses relating to the organization\'s other information\n                     systems. 
We also agree that Southeastern has taken action\n                     to improve its cyber security posture.\n\n                                 Southwestern Power Administration\n\n                     Southwestern disagreed with a number of conclusions and\n                     recommendations included in the report. Although\n                     Southwestern agreed that the effective use of the C&A\n                     program is an important tool to measure the effectiveness\n                     of its cyber security program, it did not believe that broad\n                     conclusions could be drawn from the scope of our audit\n                     work. Management commented that it could not concur\n                     with a number of our recommendations because it was not\n                     clear which recommendation applied directly to\n                     Southwestern. In particular, management believed that\n                     security controls were appropriately tested and that\n                     POA&Ms were developed for all identified weaknesses.\n                     Southwestern noted that it will improve communication\n                     between system owners and cyber security officials.\n\n                     Management\'s proposed and stated actions are generally\n                     responsive to our recommendations. We updated the\n                     recommendations to better reflect their applicability to each\n                     PMA. We continue to believe that the conclusions reached\n                     in our report are adequately supported by the audit work\n                     conducted. In particular, improvements are needed to\n                     ensure that security plans accurately reflect the controls to\n                     be implemented for each information system. 
In addition,\n                     as noted in our report, the process used by Southwestern to\n                     test security controls was not always effective. Further, we\n                     agree that Southwestern had implemented an effective\n                     process for tracking identified security weaknesses.\n\n\n\n\n________________________________________________________________\nPage 9                                                 Comments\n\x0cAppendix 1\n\nOBJECTIVE              To determine whether the Southeastern, Southwestern, and\n                       Western Area Power Administration (Southeastern,\n                       Southwestern, and Western respectively) cyber security\n                       programs adequately protected their data and information\n                       systems.\n\nSCOPE                  The audit was performed between October 2007 and August\n                       2008 at the Western corporate offices. Information was also\n                       obtained from the Southwestern and Southeastern Power\n                       Administrations.\n\nMETHODOLOGY            To accomplish our objective, we:\n\n                          \xe2\x80\xa2   Reviewed Federal regulations, Department of Energy\n                              (Department) directives, critical infrastructure\n                              protection standards, and guidance pertaining to\n                              certification and accreditation of information systems;\n\n                          \xe2\x80\xa2   Reviewed prior reports issued by the Office of\n                              Inspector General, the Government Accountability\n                              Office, and the Department\'s Office of Health, Safety\n                              and Security;\n\n                          \xe2\x80\xa2   Reviewed program-level policies relevant to security of\n                              information systems;\n\n                         
 \xe2\x80\xa2   Held discussions with program officials from each of\n                              the Power Marketing Administrations (PMAs); and,\n\n                          \xe2\x80\xa2   Selected 12 systems for review to determine whether\n                              relevant cyber security requirements had been\n                              implemented.\n\n                       We conducted this performance audit in accordance with\n                       generally accepted Government auditing standards. Those\n                       standards require that we plan and perform the audit to obtain\n                       sufficient, appropriate evidence to provide a reasonable basis\n                       for our findings and conclusions based on our audit objectives.\n                       We believe the evidence obtained provides a reasonable basis\n                       for our findings and conclusions based on our audit objectives.\n                       The audit included tests of internal controls and compliance\n                       with laws and regulations to the extent necessary to satisfy the\n                       audit objective. Because our review was limited, it would not\n                       necessarily have disclosed all internal control deficiencies that\n                       may have existed at the time of our audit. We also assessed\n                       performance measures in accordance with the Government\n\n________________________________________________________________\nPage 10                             Objective, Scope, and Methodology\n\x0cAppendix 1 (continued)\n\n                      Performance and Results Act of 1993 relevant to security\n                      over information systems. We found that Southwestern\n                      had established measures specific to this area, while the\n                      other two PMAs had not. 
We did not rely on computer-\n                      processed data to satisfy our audit objective. An exit\n                      conference was held with Southeastern on November 12,\n                      2008. Western and Southwestern waived an exit\n                      conference.\n\n\n\n\n________________________________________________________________\nPage 11                            Objective, Scope, and Methodology\n\x0cAppendix 2\n\n                                    PRIOR REPORTS\n\nOffice of Inspector General Reports\n    \xe2\x80\xa2 Special Report on Management Challenges at the Department of Energy (DOE/IG-\n      0782, December 2007). The Office of Inspector General (OIG) identified seven\n      significant management challenges facing the Department of Energy (Department),\n      including cyber security. The report noted that although the Department had in place\n      an aggressive effort to address existing weaknesses, we continued to identify\n      deficiencies, including problems relevant to the Department\'s certification and\n      accreditation (C&A) of unclassified information systems.\n    \xe2\x80\xa2 Evaluation Report on the Department\'s Unclassified Cyber Security Program \xe2\x80\x93 2007\n       (DOE/IG-0776, September 2007). The evaluation identified continued deficiencies\n      in the Department\'s cyber security program that exposed its critical systems to an\n      increased risk of compromise. In particular, weaknesses existed relevant to system\n      C&A, contingency planning, access controls, configuration management, and change\n      controls. 
Problems occurred, at least in part, because Department organizations had\n      not always ensured that Federal requirements, Department policies, and cyber\n      security controls were adequately implemented and conformed to Federal\n      requirements, most notably by field organizations and facility contractors.\n    \xe2\x80\xa2 Audit Report on Certification and Accreditation of Unclassified Information Systems\n       (DOE/IG-0752, January 2007). Many systems were not properly certified and\n      accredited prior to becoming operational. For example, nine of 14 sites reviewed had\n      not always properly categorized security levels or risk of damage to major or general\n      support systems and information contained within, or had not adequately tested and\n      evaluated security controls. In many instances, senior agency officials accredited\n      systems although required documentation was inadequate or incomplete, such as\n      incomplete inventories of software and hardware included within defined\n      accreditation boundaries.\n    \xe2\x80\xa2 Audit Report on Management Controls over Selected Departmental Critical\n       Monitoring and Control Systems (OAS-M-05-06, June 2005). The Department could\n      not ensure that it could continue operations or quickly restore selected critical\n      monitoring and control systems in the event of an emergency. Specifically,\n      management had not fully assessed risks or taken adequate steps to mitigate the\n      foreseeable risks confronting the six critical monitoring and control systems\n      reviewed. This issue occurred because site management had not sufficiently\n      considered and periodically evaluated the risk that critical monitoring and control\n      systems would become inoperable and unable to be restored in a timely manner.\n    \xe2\x80\xa2 Audit Report on Power Marketing Administration Infrastructure Protection\n      (OAS-B-03-01, April 2003). 
Western Area Power Administration (Western) and\n      Southwestern Power Administration had not adequately assessed the vulnerabilities\n      and risks for their critical assets. Vulnerability and risk assessments at Western were\n      inadequate because management was primarily concerned about recovering from any\n      disruption in operations, regardless of its source.\n\n________________________________________________________________\nPage 12                                               Prior Reports\n\x0cAppendix 3\n\n\n\n\n________________________________________________________________\nPage 13                                      Management Comments\n\x0cAppendix 3 (continued)\n\n\n\n\n________________________________________________________________\nPage 14                                      Management Comments\n\x0c Appendix 3 (continued)\n\n\n\n\n_________________________________________________________________\n Page 15                                          Management Comments\n\x0c Appendix 3 (continued)\n\n\n\n\n_________________________________________________________________\n Page 16                                          Management Comments\n\x0c Appendix 3 (continued)\n\n\n\n\n_________________________________________________________________\n Page 17                                          Management Comments\n\x0c Appendix 3 (continued)\n\n\n\n\n_________________________________________________________________\n Page 18                                          Management Comments\n\x0c                                                             IG Report No. DOE/IG-0805\n\n                       CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of\nits products. We wish to make our reports as responsive as possible to our customers\'\nrequirements, and, therefore, ask that you consider sharing your thoughts with us. 
On the\nback of this form, you may suggest improvements to enhance the effectiveness of future\nreports. Please include answers to the following questions if they are applicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or\n   procedures of the inspection would have been helpful to the reader in understanding\n   this report?\n\n2. What additional information related to findings and recommendations could have\n   been included in the report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report\'s\n   overall message more clear to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the\n   issues discussed in this report which would have been helpful?\n\n5. Please include your name and telephone number so that we may contact you should\n   we have any questions about your comments.\n\n\nName                                          Date\n\nTelephone                                     Organization\n\n\nWhen you have completed this form, you may telefax it to the Office of Inspector\nGeneral at (202) 586-0948, or you may mail it to:\n\n                           Office of Inspector General (IG-1)\n                                 Department of Energy\n                                Washington, DC 20585\n\n                              ATTN: Customer Relations\n\n\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact Judy Garland-Smith (202) 586-7828.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly\nand cost effective as possible. Therefore, this report will be available electronically through the\n                                Internet at the following address:\n\n              U.S. 
Department of Energy Office of Inspector General Home Page\n                                  http://www.ig.energy.gov\n\n  Your comments would be appreciated and can be provided on the Customer Response Form.\n\x0c'